Writing Down Passwords?
Atryn wonders: "I was recently checking for the latest firmware for a Netgear router when I decided to click on their Guide to Internet Security where it states: 'Contrary to much 'expert' advice, there is very little risk writing down passwords. In fact, years from now you may discover you need them to access old files.' I'm wondering what Slashdot thinks of Netgear's recommendation." Update: 06/08 21:19 GMT by T : Reader 654043 reminds us of the Microsoft recommendation to write down passwords which ran a few weeks back, and which has some pretty sound reasoning behind it.
No, no, just post them to Google Groups! That way you can always get back to them no matter where you are!
Given a choice between free speech and free beer, most people will take the beer.
Aren't all the reasons that this is a good/bad idea the same as they were then?
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
which ran a few weeks back, and which has some pretty sound reasoning behind it.
I do believe that there is also "some pretty sound reasoning" when the users decide to share their whole drive together with the passwords on P2P. I mean, by doing that, one can sleep peacefully knowing that his password is redundantly stored, for the next n years.
Give me a break. Security is designed by the need for it. There is a need to protect your email password because even email has a legal standing as a form of communication. Same goes for your personal and work files.
In your own home, who else is going to find a piece of paper with your password on? For a router that you configure and forget, writing down the password sounds reasonably sensible to me.
I've got this thing called a spiral bound notebook...
remember when it was {of|for|by} the people?
I don't write them down because I generate passwords with a little app that I wrote that scrambles together 2 or 3 passwords I can remember and generates an upper/lower/number/letter/symbol password for my usage... but I don't see a problem with writing down a password. I would probably keep it in my wallet or whatever and not just have it laying around. Maybe even do something clever like make all the consonants upper case and the vowels lower case but write it down in reverse, or add two to the numbers and keep all numbers 0-7 .. you could get clever with it and still keep it simple to decode.
The Technomancer
"Men of lofty genius when they are doing the least work are most active."-
PGP disk.
You can then store your passwords in any format you like, xls, txt, etc.
I figure that it would be a lot safer to have a secure password in my wallet than an insecure one committed to memory.
However, I imagine that there are merits to both sides of the argument.
I found out about KeePass (http://keepass.sourceforge.net/) on that previous story, so I've started using it. It's a very handy utility to have! It can keep track of all my passwords for various email accounts, websites, etc. It's a simple program that (based on my experience so far), just works!
If you wanted portability, you could keep your password database on a USB memory drive and carry that around with you.
I see that they just released 1.0 on June 4th - congrats!! I highly recommend people check it out!
My experience with it is that it is ok. I'm not a raving proponent, but it works as advertised.
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
....because to get all your passwords, the l33t after-school hackers would have to *gasp* leave the basement, and presumably do some breaking and entering to get your list...
I use it and it works well. I started when I got an online banking account that wouldn't let me use my standard username. I had to have mixed case and numbers in both my username and password. I got KeePass and now store everything in there.
It runs in my system tray and I can click, enter my master password and have access to all my passwords. It has also let me use long random passwords for my very important sites since I don't need to remember them any more.
Also you can use a USB key as part of the key to unlock the database so you have the something you know + something you have security.
Password Safe
Then just lock it in a safe. The problem with that is I wrote the combination on a sticky note somewhere and I can't find it. As a backup I copied it into a text file and uploaded it to a remote server with a non-obvious name but unfortunately I forgot what I called it. :-( Next time I'm just going to keep the combination taped to the front of the safe.
Kiss your ass goodbye if you lose that password!
Intron: the portion of DNA which expresses nothing useful.
Hide them where cr@ck3rz will least expect them - your blog!
Simpy
Writing the passwords down is good for remembering, and that itself is not what makes it a security issue. It is writing it down and leaving it for someone else to find that is bad.
A year back at my old school, a teacher left her password for school network access taped to her monitor. A student found it and used that to take down the entire network. Took down everything from the entire school's grades, email, library system and of course internet access.
Yes email them to me, along with your credit card numbers.
Either that, or call the help desk like I do.
They always seem to know what it is.
We're on a first name basis.
I dream in binary.
Should you drive on the left hand side of the road, or the right hand side?
Despite what some people seem to think, there's no "right" answer other than following the context. I live in the US and routinely drive on the left hand side of the road... on one way streets where I'll be turning left soon. I've done it on interstates... where the right hand lanes were closed due to construction and the oncoming traffic was moved onto the access road.
Writing down passwords is the same deal. It's a Bad Idea in your cubicle. It's a Cause For Termination Idea if you're a sysadmin.
But on a router at home, or in a locked wiring cabinet? It's a damn good idea. On a card in your wallet, especially in that zippered compartment so it can't accidentally slip out? Good idea, unless you routinely leave your wallet unsecured. In which case you're an idiot with bigger problems than just writing down your passwords.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
Well, how good is your physical security? If the system will be accessed from an environment where there are likely to be unauthorized people wandering around all the time (large office, public area, etc), then don't write it down. If the system will be accessed from a place that only people you trust have access to (home), then it's not a danger, and if your home is ever compromised, having your router password in plain sight is the least of your worries.
May 2001 Crypto-gram
See Jon Udell's Simple single sign-on article from May 2005:
It points out a few simple solutions that will solve many people's problems.
Simpy
If you're a pocket-picking cracker with common sense, you'll probably realize that "Hey, this business card with nonsensical combinations of letters and numbers scribbled on it might actually have some sort of significance." Or maybe the owner just has an ASCII fetish.
Disassociating the passwords is of course a good idea *if* you must write down your passwords because this way if you just lose it, no one will know how to use the information. It doesn't protect you from a thief, however.
"Screw slashdot." -- Linus Torvalds
I have a rather large master password list for every server at work which I store this way. It's quite handy.
KeePass http://keepass.sourceforge.net/
The security of writing down passwords depends upon the security of the paper they are written upon.
If you have a router/firewall on your Internet connection, and you write the password(s) to the router on a piece of paper taped to the router, then you are not really reducing your security - if the bad guys are in the room reading the password you are already in trouble.
However, if you write your workstation password down on a piece of paper under your keyboard, and other people can reasonably be expected to have access to your office, then you are greatly reducing your security. If, on the other hand, you have your password written down on a piece of paper you keep in your wallet, then the reduction in security is fairly minimal - especially if there is nothing in your wallet that would lead the bad guys to your workstation.
www.eFax.com are spammers
A real, physical, password keyring. ThinkGeek has some rather expensive ones, but they'll definitely do the job. I have one of the earlier (cheaper) keyrings from the same company, and it's wonderful. I have strong passwords, I don't have to worry about forgetting them, and they're secure.
so it may be good to write down your passwords, as long as they are secured either on your person at all time, or locked in a vault someplace...
either way this is no real sub for good old fashioned remembering things... just change your passwords on a timely schedule.
i have 20+ sites/programs that i change my passwords for ranging from ssh tunneling, to remote email servers to FTP servers...
i have 5 master phrases, one for each type of password protected app/protocol, that i use to create strong alpha numeric symbolic passwords from. essentially it's my own leet speak. i write down a single hint on a sticky in my wallet that will remind me of the type of replacement i used. as i use the same type of replacement for all phrases, though it changes regularly...
there is no real good reason to write down passwords to any thing you want to keep secure. write down a hint that only you will understand, and make sure that you will remember what it means.
just to show you kinda what i do i'll use one of my old phrases:
midgetslutsdontlikeanalsex
how are you not gonna remember that....now just replace two characters with numbers (preferably not 0 for o or anything like that..more like 3 for 0)
and then replace two more letters with special characters.
a possible password using this type of "encryption" could look like:
1i@get0l9y0@o)tlikea)alsex
that will probably take a long time to break...
Has anyone used this product at all? http://keepass.sourceforge.net/ [sourceforge.net] If so would you care to comment on using it?
I for one have been keeping my ass for quite many years now, and it has worked fine for me. YMMV
It's a good idea to hide passwords that you've written on paper - but you don't need a safe. Just stick it to the bottom of the keyboard like I do. No one will ever find it there.
Tech News, Reviews and Tutorials
Bruce Schneier's (now Open Source) App:
Password Safe
Is exactly what you need to "write down" passwords with. You only need to remember a single password to decrypt the database. And since the database uses Blowfish, it is pretty damn good.
I have over 50 username/password combos stored in mine with a strong password to open the database itself.
If you need to write down a password, this is the way to do it.
Try to hack my 31337 firewall!
a-E9 b-?p c-&m
d-6K e-aY f-eP
g-!S h-gn i-D=
j-Hd k-vw l-Cb
m-W5 n-4$ o-R3
p-x% q-7M r-NF
s-+2 t-s* u-Ay
v-fL w-zG x-Zu
y-cX z-Qr
I then print this, laminate it, and put it in my wallet (a backup copy somewhere isn't a bad idea either). Then, for every password I just remember a word (maybe "bank" for my bank for example) which gives me a password of: ?pE94$vw
Hard to guess, easy for me to "remember". If someone gets my paper (say I lose my wallet), it is still not simple to figure out what my passwords are, or even what the heck that little paper is. Shoulder surfing doesn't work too well either, unless you can memorize the whole card and then figure out which word I am using (it would be easier to try to watch me type the password on the keyboard than get it off the paper. Luckily I type fast and get annoyed when people stand over me while I type a password).
I Am My Own Worst Enemy
If you are willing and able to get into the wire room by any means (either by breaking in, or sneaking in, or even walking in), why would you bother with the password? You could just install a hidden tap and be done with it.
I keep a few of my all-number passwords (that I can never remember) on my cellphone as bogus phone numbers in the phonebook.
1. pick a number (one to three digits probably)
2. add 5
3. multiply by 3
4. square this number
5. add the digits over and over until you get only one digit (i.e. 64=6+4=10=1+0=1)
6. if the number is less than 5 then add five otherwise subtract 4
7. multiply by 2
8. subtract 6
9. use this number to select a letter of the alphabet 1=A, 2=B, 3=C, etc.
10. pick the name of a country that begins with that letter
11. take the second letter in the country name and think of an animal that begins with that letter
but wait...
there are no elephants in Denmark!
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
could you paste the lines of perl here or provide a website?
I tell my users that if they do write down their password/creds that they should treat it in the same way they do their driver's license or passport. After all, those are credentials too and it provides a good analogy so people can better understand what their responsibilities are regarding them.
That's often not enough though. I also tell them the first time I see their creds in the open that I'll remind them of the policy. After that, their password documents will be destroyed immediately and without notice on sight if discovered in the open again... and that their password will be changed just as fast.
Call that a bit draconian if you will but I see it as a way to meet people in the middle. I can issue strong passwords without having to think about whether people will remember them, and as long as people treat their credentials like responsible adults I don't have to worry about adverse disclosures.
Truth is people are going to write down their passwords no matter what you tell them to do. Providing a climate where people aren't afraid of admitting it and setting an official policy regarding how that's handled can help you manage risks that otherwise would be hard to approach.
"Let him go, Ralph. He knows what he's doing." --Otto Mann (simpsons)
I keep all of mine in my palm pilot, which is always conveniently situated in my back pocket.
When I find I need a new one, I just transfer them over. Manually. I am old-school.
-- yawn. --
My whole system was running like a greased skillet until you mentioned that.
Now I can't remember a damn thing...
My days of not taking you seriously are certainly coming to a middle...
I thought what he had posted was the Perl script.
I think that they want people to write down passwords so that people will feel okay making more complex passwords. That way they [won't be / are less likely to be] ripped off by a bruteforce dictionary attack, just a crowbar attack through their front door.
Zoeith
Could some visitor climb under my desk and look at the password if they wanted? Yes, but they could also climb under the desk and hit the reset button, and it's not *that* big a stretch to figure out that the DHCP is now set for 192.168.0.0/24 instead of 192.168.1.0/24.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Just as long as they're being appropriately hidden. One of the few times that I ever snapped at a user without being provoked was when I saw, in the HR department, the name of the bank, dial-up number, account number, and password for the payroll account on a Post-It on the user's bulletin board, with the following words in big letters:
PAYROLL ACCOUNT MASTER LOGIN
I ripped it down and handed it to her, telling her somewhat angrily that she needed to lock it in a secure location, or I would escalate it to the head of HR and the head of IT. I came back everyday for a week, and periodically for a few months afterward, at times when the user was not there to ensure that it had not been placed in any semi-obvious location, and that all of the cabinet drawers were locked. I still ended up telling the mentioned managers, but in a more general way that they needed to do more to focus on security of accounts, among other things. They implemented training a couple of weeks later, fortunately.
You can never go home again... but I guess you can shop there.
that's a really cool idea, however, once someone realizes that each letter has a two character code, they could just do a dictionary attack on you and it would be fairly simple to "guess" the word you're using because the dictionary would guess it for you.
I use a similar approach but mine is kinda foolproof. I think of a word that I would know that's not in the dictionary... like blumpy. Then I pick a symbol like & or *. Then I take this and make, for example, my bank password: blumpy&bank, and let's say my slashdot password: blumpy&slashdot. So it's easy to remember, just remember blumpy& and change it every so often if you want.
Amazing! That's the same combination as my luggage!
Oh, Edmund, can it be true? that I hold here, in my mortal hand, a nugget of purest green?
If someone found the card, a dictionary attack would be slowed down by a factor of... 1, because it's just a simple substitution cipher. Plus, you must use longer passwords, otherwise the two-char substitution means the actual key is only half as long as it is entered. It's still a neat system, because it's poor-man's two-factor authentication. You have something (a substitution cipher key), plus you know something (the original key). Strategically, it's better than storing the original key in your wallet, cheaper than an RSA fob and no authentication system tweaks are required. On the other hand, it's not the best solution either, because it essentially documents the keyspace, which makes it that much easier to brute force.
Also, a "dictionary attack" doesn't have to mean someone scripting logons based on a dictionary. In fact, such a thing would usually not work. Assuming you could try 100 passwords/sec (pretty unlikely) it would take many, many years to exhaust an 8 char password with a 26 char keyspace. Success of a dictionary attack typically requires you have the hash and can generate & compare as many passwords/sec as you have compute power.
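An added example (not code from any poster in the thread) that models the laminated card from the earlier post, parsed exactly as it was written there, and puts numbers on the two replies above: what the card buys against someone who does not hold it, what is left once they do and the word is a dictionary word, and the "100 passwords/sec against 8 characters of 26" estimate. The 50,000-word dictionary size and the guess rates are constructed assumptions.

```python
"""Keyspace estimates for the substitution-card scheme (added example)."""
import math

# The 26-entry card as posted: each letter maps to two characters.
CARD_TEXT = """a-E9 b-?p c-&m d-6K e-aY f-eP g-!S h-gn i-D= j-Hd k-vw l-Cb
m-W5 n-4$ o-R3 p-x% q-7M r-NF s-+2 t-s* u-Ay v-fL w-zG x-Zu y-cX z-Qr"""


def parse_card(text: str) -> dict:
    """Turn 'a-E9 b-?p ...' into {'a': 'E9', 'b': '?p', ...}."""
    card = {}
    for entry in text.split():
        letter, code = entry.split("-", 1)
        card[letter] = code
    return card


CARD = parse_card(CARD_TEXT)


def encode(word: str, card: dict = CARD) -> str:
    """Apply the card: the poster's 'bank' becomes '?pE94$vw'."""
    return "".join(card[ch] for ch in word.lower())


def decode(password: str, card: dict = CARD) -> str:
    """Invert the card. It is a plain substitution, so anyone holding the
    card recovers the word immediately; the card adds no secrecy by itself."""
    inverse = {code: letter for letter, code in card.items()}
    return "".join(inverse[password[i:i + 2]] for i in range(0, len(password), 2))


def bits_apparent(password: str, card: dict = CARD) -> float:
    """What the output looks like to someone WITHOUT the card: a uniform
    pick from the characters the card can emit, one per output position."""
    alphabet = set("".join(card.values()))
    return len(password) * math.log2(len(alphabet))


def bits_with_card(dictionary_size: int) -> float:
    """WITH the card, and the memorised word taken from a dictionary, the
    search collapses to that dictionary: log2(size) bits (the reply's point)."""
    return math.log2(dictionary_size)


def years_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Time to try every password of a given shape at a fixed guess rate."""
    return alphabet_size ** length / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    pw = encode("bank")
    print(pw, "->", decode(pw))
    print("without the card: %.1f bits" % bits_apparent(pw))
    print("with the card, 50k-word dictionary (assumed): %.1f bits" % bits_with_card(50_000))
    # The reply's online figure versus an assumed offline rate against a hash.
    print("26^8 at 100/s: %.0f years" % years_to_exhaust(26, 8, 100))
    print("26^8 at 1e9/s: %.3f years" % years_to_exhaust(26, 8, 1e9))
```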
Song lyrics are useful too: TaLWSATGiG (There's a Lady Who's Sure, All That Glitters is Gold). Usually gives you mixed case too, if you treat it like a title (i.e. minor words like is, as, the, etc. are lower case).
All available data suggest that regardless of any of this, the sun will still come up tomorrow.
I'm sitting here reading /. because I fucking can't remember the fucking root password to a server that I'm supposed to administer as a favor to a friend. I changed it two months ago, haven't needed to get on the fucking machine since and now, when I need to fix it, I can't remember what the fuck I changed it to. And no, I can't just stick a rescue boot disk in because I don't know what fucking city the server is in.
Note to self: Next time, write down the fucking password and put it in the fucking file cabinet.
Note to poster: Did you ask this fucking question just to fuck with my mind or was it pure coincidence?
FreeSpeech.org
Several years ago I came to realize that one can either work with human nature and win; or work against it and lose. In the arena of passwords anyone who recommends NOT WRITING passwords down is declaring themselves against human nature. I tell users, "By all means write your password(s) down. However, treat that piece of paper like it were a $1000 bill. You wouldn't put a $1000 bill in your desk or under your keyboard. Don't do it with a password." It isn't the written password that is the problem. It's the casual treatment of something valuable.
Furthermore, I recommend that complicated passwords be allowed a lifetime of at least one year in all but the most sensitive areas. Ergo, a general user should usually be able to keep one for a minimum of a year. The systems administrator on the other hand, shouldn't keep a password longer than 60-90 days. That limited amount of time because most system administrators administrate multiple machines making their password very important.
Just as long as they're being appropriately hidden.
There is something to be said for a report like Microsoft's, which has proper reasoning behind it, etc. But NetGear's idea of telling the average end-user that "the experts are wrong, there's no problem writing your password down" just encourages people to write their laptop password on a post-it and stick it to their laptop (which is *always* a stupid thing to do).
If you're going to tell people to do something that may risk security, you _must_ tell them when it's appropriate and how to limit the security risk.
http://blog.nexusuk.org
Well, it's assuming that any one web site they visit stores a non-hashed version of the password.
I once had a well respected commercial web site mail me my password. Not only was the fact that they sent it in email bad, but it was also obviously stored on their machines unhashed. And it was a password that could be used to access my credit card info that they had on record.
Of course I told them their computer security staff should be fired immediately. Never heard back. They were probably the ones that read the email.
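An added example (not code from anyone in the thread) of the point the post above makes: a site that can e-mail your password back must hold it in recoverable form. The first store below is that recoverable form; the second keeps only a per-user salt and a slow PBKDF2 hash, so it can check a login attempt but can never produce the password. Usernames and passwords are constructed samples and the iteration count is an assumed setting.

```python
"""Recoverable versus verify-only credential storage (added example)."""
import hashlib
import hmac
import os

ITERATIONS = 100_000   # assumed cost setting; raise it for real deployments
SALT_BYTES = 16


def store_plaintext(users: dict, username: str, password: str) -> None:
    """The recoverable store: anyone who reads this table reads every password."""
    users[username] = {"password": password}


def recover_plaintext(users: dict, username: str) -> str:
    """The capability a 'here is your password' e-mail proves the site has."""
    return users[username]["password"]


def store_hashed(users: dict, username: str, password: str) -> None:
    """Keep a random per-user salt plus a slow hash; the password itself is gone.
    The salt means two users with the same password get different records."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    users[username] = {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify_hashed(users: dict, username: str, attempt: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    record = users.get(username)
    if record is None or "hash" not in record:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def can_mail_password(users: dict, username: str) -> bool:
    """True only when the record still holds the plaintext, i.e. the bad store."""
    return "password" in users.get(username, {})


if __name__ == "__main__":
    bad, good = {}, {}
    store_plaintext(bad, "alice", "correct horse")   # constructed sample credential
    store_hashed(good, "alice", "correct horse")
    print("plaintext store can mail it back:", can_mail_password(bad, "alice"))
    print("hashed store can mail it back:   ", can_mail_password(good, "alice"))
    print("hashed store verifies the right password:", verify_hashed(good, "alice", "correct horse"))
    print("hashed store rejects a wrong password:   ", verify_hashed(good, "alice", "wrong"))
```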
Devon
If you've got a bunch of machines that rarely need to be messed with locked inside rooms/closets that will be in easy reach of the administrator(s), you can give each one a unique, high-entropy password and tape it to the box. Then a compromise of one of them will not compromise any others. If an attacker has physical access you're 0wn3d anyway.
This is particularly useful when you're doing a small business setup, when the "administrator" is the person in the office with the strongest computer skills, but has a completely different job description, and is likely to lose track of a notebook or whatever else. Contrary to the environments a lot of slashdotters work in or have worked in, most people work in companies with no dedicated technical staff, so it's quite helpful to set them up with something like this, especially if you're the contractor/friend/relative who they'd call when they need to change something and can't. Anyone who's done enough support has probably had the realization that every request to change/reset a password is an inherent security risk.
The physical access warning is key though. Left to their own devices, they won't think twice about putting the server in plain view in the reception room.
There's no failure quite as dissatisfying as a complete and total solution to the wrong problem.
..."fucking"?